Message-ID: <0dc7497f-0f90-4667-85e3-822ec5e98417@mev.co.uk>
Date: Thu, 24 Jul 2025 12:11:10 +0100
From: Ian Abbott <abbotti@....co.uk>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 H Hartley Sweeten <hsweeten@...ionengravers.com>,
 Edward Adam Davis <eadavis@...com>, syzkaller-bugs@...glegroups.com,
 stable@...r.kernel.org, syzbot+5cd373521edd68bebcb3@...kaller.appspotmail.com
Subject: Re: [PATCH V3 REPOST] comedi: pcl726: Prevent invalid irq number

On 24/07/2025 12:07, Ian Abbott wrote:
> From: Edward Adam Davis <eadavis@...com>
> 
> The reproducer passed in an irq number (0x80008000) that was too large,
> which triggered the oob.
> 
> Added an interrupt number check to prevent users from passing in an irq
> number that was too large.
> 
> If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid
> because it shifts a 1-bit into the sign bit (which is UB in C).
> Possible solutions include reducing the upper bound on the
> `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.
> 
> The old code would just not attempt to request the IRQ if the
> `options[1]` value were invalid.  And it would still configure the
> device without interrupts even if the call to `request_irq` returned an
> error.  So it would be better to combine this test with the test below.
> 
> Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code")
> Cc: <stable@...r.kernel.org> # 5.13+
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Reported-by: syzbot+5cd373521edd68bebcb3@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3
> Tested-by: syzbot+5cd373521edd68bebcb3@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> Reviewed-by: Ian Abbott <abbotti@....co.uk>

I forgot to append the changelog from the original email:

V1 -> V2: combine test with old test
V2 -> V3: fix misspelled

Ian

-- 
-=( Ian Abbott <abbotti@....co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
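
The check discussed in the quoted commit message, modelled in user-space C as an added example (not code from the patch or from the comedi driver): the option value is range-checked before it is used as a shift count, and the shift is done on an unsigned 1 so bit 31 is well defined. `select_irq` and `DEMO_IRQ_MASK` are hypothetical names, and the mask value and sample inputs are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical mask of IRQ lines a board supports (bit n set = IRQ n usable).
 * Constructed sample value, not taken from the driver. */
#define DEMO_IRQ_MASK 0xdcfcu

/*
 * Return the IRQ number to request, or 0 to configure without interrupts.
 * The range test runs first, so the shift count is always smaller than the
 * width of unsigned int; "1U" keeps a shift by 31 out of the sign bit.
 */
static unsigned int select_irq(int option, unsigned int irq_mask)
{
    const int width = (int)(sizeof(irq_mask) * CHAR_BIT);

    if (option <= 0 || option >= width)
        return 0;                      /* out of range: no shift is performed */
    if (!(irq_mask & (1U << option)))
        return 0;                      /* in range, but not a supported line */
    return (unsigned int)option;
}

int main(void)
{
    /* Constructed inputs: 0x80008000 as stored in a 32-bit int, the bit-31
     * case from the commit message, and a few ordinary values. */
    const int samples[] = { -2147450880, 31, 32, -1, 0, 1, 5, 15 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("option %11d -> irq %u\n", samples[i],
               select_irq(samples[i], DEMO_IRQ_MASK));

    /* With a mask that has bit 31 set, option 31 is accepted without UB. */
    printf("option 31, mask 0x80000000 -> irq %u\n",
           select_irq(31, 0x80000000u));
    return 0;
}
```

An out-of-range option falls through to the "no interrupts" result here, matching the old behaviour the commit message describes for invalid `options[1]` values.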
